Session cookie not enforced secure in production #3909

@Nixxx19

Description

p5.js version

No response

What is your operating system?

None

Web browser and version

No response

Actual Behavior

Session cookie is set with secure: false hardcoded in server/server.js. Session cookies can be sent over HTTP, increasing session hijacking risk if the app is (or is ever) served over HTTP in production.

Location: server/server.js line 94

Expected Behavior

In production (NODE_ENV === 'production'), the session cookie should have secure: true so it is only sent over HTTPS.

Steps to reproduce

  1. Open server/server.js and find the session cookie config.
  2. Confirm secure: false is set with no environment-based override.
  3. In production over HTTPS, cookie could still be sent over HTTP if there is any downgrade or misconfiguration.

Snippet:

// server.js
cookie: {
  httpOnly: true,
  secure: false,   // should be true in production
  maxAge: 1000 * 60 * 60 * 24 * 28
}
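An added example, not code from the p5.js web editor repository, of the environment-driven setting the issue asks for, plus a small audit of a Set-Cookie header that a maintainer can run against a deployed instance to confirm the Secure attribute is actually emitted. The cookie option names follow express-session; the NODE_ENV check and the sample header are assumptions for illustration.

```javascript
// Build session cookie options from the environment instead of hardcoding
// secure: false. Constructed example; not the project's own server.js.
function sessionCookieOptions(env) {
  const isProd = env.NODE_ENV === 'production';
  return {
    httpOnly: true,
    // Secure only in production: plain-HTTP local development would
    // otherwise never receive the cookie at all.
    secure: isProd,
    sameSite: 'lax',
    maxAge: 1000 * 60 * 60 * 24 * 28,
  };
  // Caveat: behind a TLS-terminating proxy, express-session also needs
  // app.set('trust proxy', 1); otherwise it sees a plain-HTTP request and
  // will not set a cookie marked secure.
}

// Parse one Set-Cookie header value and report missing protective
// attributes. Intended for a quick check of a live response or a test.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const [key, value] = part.split('=');
    attrs.set(key.toLowerCase(), value === undefined ? true : value);
  }
  const findings = [];
  if (!attrs.has('secure')) findings.push('missing Secure');
  if (!attrs.has('httponly')) findings.push('missing HttpOnly');
  if (!attrs.has('samesite')) findings.push('missing SameSite');
  return { name, findings };
}

// Constructed sample header matching the snippet above (no Secure flag).
const sampleHeader = 'connect.sid=s%3Aabc.def; Path=/; HttpOnly; Max-Age=2419200';
console.log(sessionCookieOptions({ NODE_ENV: 'production' }));
console.log(auditSetCookie(sampleHeader));
```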

    Labels

    Awaiting Maintainer Approval (needs review from a maintainer before moving forward), Bug (error or unexpected behaviors)